Gerry Gebel, President, Axiomatics Americas The most important, sensitive and valuable information your organization manages is exactly what your partners, customers and internal teams require access to. How do you implement this need-to-share business model without disclosing too much data and running afoul of laws, regulations or internal business rules? This session will describe how access policies and attributes are combined to provide a flexible and effective authorization solution.
Policy Enabled Access Control: Meeting "Need to Share" Business Requirements
Gerry Gebel, President, Axiomatics Americas
ggebel@axiomatics.com, @ggebel
#cisNAPA
Setting the context: operating in a "need to share" world

Objectives for this session
- Think more about attributes (business metadata)
- And less about entitlements (IT metadata)
Financial services
- Account managers can view/edit records of clients directly assigned to them
- Account managers can view records for all clients in their branch, except VIP clients
- Managers can view/edit records of clients assigned to their subordinates
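The three financial-services rules above, encoded as an added example that is not part of the original deck or of any Axiomatics product: a minimal attribute-based evaluator in which each rule is a condition over subject and resource attributes, combined deny-overrides the way an XACML PDP combines rules. The attribute names (id, role, branch, owner, vip, subordinates) and the sample users and clients are assumptions constructed for the example.

```python
"""Added example, not from the slides: a minimal attribute-based policy
evaluator that encodes the three financial-services rules above and
combines them deny-overrides, as an XACML PDP would.  The attribute names
(id, role, branch, owner, vip, subordinates) are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Rule:
    name: str
    effect: str                                     # "Permit" or "Deny"
    condition: Callable[[Attrs, Attrs, str], bool]  # (subject, resource, action)


# Rule 1: account managers may view/edit clients assigned directly to them.
RULE_ASSIGNED = Rule("assigned-client", "Permit",
    lambda s, r, a: s["role"] == "account_manager"
    and a in ("view", "edit") and r["owner"] == s["id"])

# Rule 2a: account managers may view any client in their branch ...
RULE_BRANCH = Rule("same-branch-view", "Permit",
    lambda s, r, a: s["role"] == "account_manager"
    and a == "view" and r["branch"] == s["branch"])

# Rule 2b: ... except VIP clients.  Written as an explicit Deny so that it
# wins over rule 2a under deny-overrides; a VIP client the account manager
# owns is still reachable through rule 1 because this Deny excludes owners.
RULE_VIP = Rule("vip-exception", "Deny",
    lambda s, r, a: s["role"] == "account_manager"
    and r.get("vip", False) and r["owner"] != s["id"])

# Rule 3: managers may view/edit clients assigned to their subordinates.
RULE_MANAGER = Rule("manager-of-owner", "Permit",
    lambda s, r, a: s["role"] == "manager"
    and a in ("view", "edit") and r["owner"] in s.get("subordinates", ()))

POLICY: List[Rule] = [RULE_ASSIGNED, RULE_BRANCH, RULE_VIP, RULE_MANAGER]


def decide(subject: Attrs, resource: Attrs, action: str,
           policy: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any applicable Deny wins, otherwise Permit
    if any rule permits, otherwise NotApplicable.  A PEP must treat anything
    other than Permit as no access."""
    decision = "NotApplicable"
    for rule in policy:
        try:
            applicable = rule.condition(subject, resource, action)
        except KeyError:
            # A required attribute is missing, so the rule cannot be
            # evaluated (XACML would report Indeterminate).  Do not guess:
            # garbage in, garbage out.
            continue
        if not applicable:
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


# Constructed sample subjects and client records (not real data).
ALICE = {"id": "u1", "role": "account_manager", "branch": "napa"}
BOB = {"id": "u2", "role": "account_manager", "branch": "napa"}
CAROL = {"id": "u3", "role": "manager", "branch": "napa", "subordinates": {"u1", "u2"}}
CLIENT_A = {"id": "c100", "owner": "u1", "branch": "napa", "vip": False}
CLIENT_V = {"id": "c200", "owner": "u2", "branch": "napa", "vip": True}

if __name__ == "__main__":
    for who, what, how in [(ALICE, CLIENT_A, "edit"), (BOB, CLIENT_A, "edit"),
                           (ALICE, CLIENT_V, "view"), (CAROL, CLIENT_V, "edit")]:
        print(who["id"], how, what["id"], "->", decide(who, what, how))
```

The VIP exception is the interesting part: expressed as a separate Deny rule it stays readable and auditable, and the combining algorithm, not the order of the rules, guarantees it wins. Note also that a subject record with no branch attribute does not silently match rule 2a; the rule is skipped and the request falls through to NotApplicable.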
Electronic health records
- Nurse practitioners in the Cardiology Department can view the records of heart patients
- Billing administrators can view non-medical data for patients in the same state
- Emergency access is permitted, but logged
Source: NIST SP 800-162 (Guide to Attribute Based Access Control)
CRM
- Users can view customer cases for their LOB, country, region or role, or if they created the case
- Users with risk level != HIGH can approve cases
- For certain cases, e.g. Singapore, the user must be domiciled in the same country as the customer case
In the olden days, authorization was about: Who?
Authorization should really be about: When? What? How? Where? Who? Why?
It's all about the attributes!
- Attributes are sets of labels or properties that describe all aspects of the entities (subject, resource, action, environment) that must be considered for authorization purposes
- Attribute Based Access Control (ABAC) uses attributes as building blocks
An Authorization Service
(Diagram: an externalized, standards-compliant authorization service, de-coupled from applications; fine-grained, context-aware, attribute-based and policy-based access control.)
Need to Share vs. Perimeters
Does the perimeter matter?
(Image slides.) Source: http://bit.ly/U9l7wg
Source: www.arrayguard.com
Implementing the "need to share" model
Using attributes, policies and standards
The XACML Standard
- eXtensible Access Control Markup Language, an OASIS standard
- The de facto standard for fine-grained access control; current version: 3.0
- XACML defines:
  - A policy language
  - A request/response scheme, carried over XML, SOAP, REST and JSON (the REST and JSON bindings are separate OASIS profiles of XACML 3.0)
  - A reference architecture
The XACML Architecture
- Manage: Policy Administration Point (PAP), where policies are authored and stored
- Decide: Policy Decision Point (PDP), which evaluates a request against the policies
- Support: Policy Information Point (PIP), which supplies attribute values the request did not carry, and Policy Retrieval Point (PRP), which supplies the policies to the PDP
- Enforce: Policy Enforcement Point (PEP), which intercepts the access attempt, asks the PDP and enforces the decision
Authorization in depth & at the right layer
XACML → Anywhere Authorization Architecture
Attributes and Governance
Ensuring high fidelity attributes

The Importance of Attribute Governance
- See the "garbage in, garbage out" principle: access policies rely on the validity/assurance of attribute values
- Some attributes will be managed by an attribute governance solution, mostly IT data
- Other attributes are managed by your business activities: client data, research data, health records, etc.
Governance – Authorization possibilities
- Governance tools keep track of "privilege granting attributes", which enhances reporting and attestation
- Governance tools expose risk scores: Has the user's access been certified on schedule? Does the user have a high risk profile?
- The authorization system can incorporate risk data: If $riskScore > $threshold Then DENY access
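The architecture slides (PEP, PDP, PIP) and the governance rule above, wired together as an added example that is not part of the original deck or of any Axiomatics product: the PEP builds a request shaped like the OASIS JSON Profile of XACML 3.0, the PIP pulls the risk score and certification status from a governance store, and the PDP applies the "risk score above threshold, or access not certified on schedule, then DENY" rules. The urn:example: attribute ids, the threshold value and the governance records are assumptions constructed for the example; the subject/action/resource ids and the missing-attribute status code are the standard XACML identifiers.

```python
"""Added example, not from the slides: a PEP, a PIP and a PDP wired together,
exchanging requests and responses shaped like the OASIS JSON Profile of
XACML 3.0.  The PDP encodes the two governance-driven rules above (risk score
above a threshold, or access not certified on schedule -> Deny).  The
attribute ids under urn:example:, the threshold value and the governance
records are assumptions."""
import json
from typing import Any, Dict, Optional

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
MISSING_ATTRIBUTE = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
RISK_ATTR = "urn:example:governance:riskScore"                 # assumed id
CERTIFIED_ATTR = "urn:example:governance:certifiedOnSchedule"  # assumed id
RISK_THRESHOLD = 70                                            # assumed value

# Constructed stand-in for the identity-governance store the PIP reads from.
GOVERNANCE_STORE = {
    "alice":   {"riskScore": 20, "certifiedOnSchedule": True},
    "mallory": {"riskScore": 85, "certifiedOnSchedule": True},
    "eve":     {"riskScore": 10, "certifiedOnSchedule": False},
}


def pep_build_request(user: str, action: str, resource: str) -> Dict[str, Any]:
    """PEP: package what the application knows as a JSON-profile request."""
    return {"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": user}]},
        "Action":        {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Resource":      {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
    }}


def category_attrs(request: Dict[str, Any], category: str) -> Dict[str, Any]:
    """Flatten one request category into {AttributeId: Value}."""
    entries = request["Request"].get(category, {}).get("Attribute", [])
    return {e["AttributeId"]: e["Value"] for e in entries}


def pip_resolve(subject_id: Optional[str]) -> Dict[str, Any]:
    """PIP: fetch the governance attributes the PEP did not send.  An unknown
    subject yields None values rather than defaults, so the PDP can see that
    the data is missing instead of scoring the user as low risk."""
    record = GOVERNANCE_STORE.get(subject_id or "", {})
    return {RISK_ATTR: record.get("riskScore"),
            CERTIFIED_ATTR: record.get("certifiedOnSchedule")}


def pdp_evaluate(request: Dict[str, Any]) -> Dict[str, Any]:
    """PDP: deny-overrides over the two governance rules; missing attribute
    data is reported as Indeterminate, never turned into a silent Permit."""
    subject = category_attrs(request, "AccessSubject")
    subject.update(pip_resolve(subject.get(SUBJECT_ID)))
    risk, certified = subject[RISK_ATTR], subject[CERTIFIED_ATTR]
    if risk is None or certified is None:
        return {"Response": [{"Decision": "Indeterminate",
                              "Status": {"StatusCode": {"Value": MISSING_ATTRIBUTE}}}]}
    if risk > RISK_THRESHOLD or not certified:
        return {"Response": [{"Decision": "Deny"}]}
    return {"Response": [{"Decision": "Permit"}]}


def pep_enforce(user: str, action: str, resource: str) -> bool:
    """PEP: serialise the request as the wire format would, ask the PDP, and
    grant access only on an explicit Permit (Deny, NotApplicable and
    Indeterminate all block)."""
    wire = json.dumps(pep_build_request(user, action, resource))
    response = pdp_evaluate(json.loads(wire))
    return response["Response"][0]["Decision"] == "Permit"


if __name__ == "__main__":
    for user in ("alice", "mallory", "eve", "nobody"):
        print(user, "->", pep_enforce(user, "view", "client/c100"))
```

Two design points worth carrying into a real deployment: the PEP sends only what the application reliably knows and lets the PIP fetch governance attributes, so the risk score cannot be spoofed by the caller; and an absent governance record produces Indeterminate with a missing-attribute status, which the PEP treats as no access, rather than defaulting the score to zero.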
In Summary

Benefits of Data Governance
- Securely enable new and existing business models
- Easier to manage applications: decoupling authorization from the application makes it easier to implement changes to the system
- More secure applications: consistently enforce policies across heterogeneous platforms and systems at the level of granularity required
- Achieve audit and regulatory compliance: a declarative policy language makes auditing and certifying application access a straightforward process
Ques0ons? Contact us at [email protected]